Judge Dumps Lawsuit Over Google's Privacy Policy Changes

from the no-standing dept

In the last few weeks of the year, there were a bunch of stories about attempts to change Instagram's terms of service, leading to what we believed to be a completely silly class action lawsuit against the company. Of course, earlier in the year, the uproar was over Google's plans to consolidate all of its dozens of different privacy policies into one that ran across all Google services. Beyond simplifying things for both Google and users, this did one other thing that got some people worried: it allowed Google to share your info across those services (e.g. your YouTube searches could impact ads shown in Gmail, or something like that). Some of this makes a lot of sense (it's great when I do a Google search on my laptop for an address, and 10 minutes later, when I open the Google maps app on my phone, it remembers that address -- that's really useful). But, some of it could be creepy. And when things get creepy, lawsuits get filed -- as happened with Google's privacy policy.

Right before the end of the year, however, Magistrate Judge Paul Grewal, while agreeing that Google might not respect consumer's privacy as much as it should, dumped the lawsuit against the company for a variety of reasons, including a lack of standing and a failure to show any actual harm. The full filing is a good read. On the issue of standing, there are two reasons for dumping the lawsuit. First, the plaintiffs claimed that it would be costly to replace their phones, but provided no evidence that anyone actually did that.

With respect to their claims regarding the cost of replacing their Android-powered phones to escape the burden imposed by Google’s new policy, Plaintiffs fail to allege injury in fact to themselves. This alone is sufficient to dismiss Plaintiffs’ replacement-related claims.... In the consolidated complaint, Plaintiffs do not allege that they have ever purchased a replacement mobile phone for the Android-based phones at issue. While individuals who did purchase such a replacement might have standing to pursue the associated costs, by including no such allegations in their complaint, Plaintiffs stand apart.

But, even beyond that, there's the problem of what "harm" is caused by Google sharing the info between services. It may be there, but the plaintiffs didn't show it.

Plaintiffs have not identified a concrete harm from the alleged combination of their personal information across Google’s products and contrary to Google’s previous policy sufficient to create an injury in fact. As Judge Koh noted in In re iPhone Application Litig., a recent case from the Central District of California is instructive. In Spectrum Media, the plaintiffs accused an online third-party advertising network of installing cookies on their computers to circumvent user privacy controls and to track internet use without user knowledge or consent. The court held that the plaintiffs lacked Article III standing because (1) they had not alleged that any named plaintiff was actually harmed by the defendant’s alleged conduct and (2) they had not alleged any “particularized example” of economic injury or harm to their computers, but instead offered only abstract concepts...

Then there's the bizarre part of the lawsuit in which the lawyers claimed that Google's actions violate the Wiretap Act -- but the court doesn't see it.

Plaintiffs contend that, under the Wiretap Act, an interception occurred when their content from one Google product was stored on Google’s servers and then combined with information from another Google product that also was stored on Google’s servers. Plaintiffs further contend that because the Wiretap Act defines “device” broadly as “any device or apparatus which can be used to intercept a[n] . . . electronic communication,” Google’s cookies, application platforms, and servers constitute devices under that act in that they intercept information from one Google product to store on Google’s servers and then to combine with information collected by other Google products. Plaintiffs utterly fail, however, to cite to any authority that supports either the notion that a provider can intercept information already in its possession by violating limitations imposed by a privacy policy or the inescapably plain language of the Wiretap Act that excludes from the definition of a “device” a provider’s own equipment used in the ordinary course of business.

The dismissal gives the plaintiffs the ability to amend the lawsuit, and it wouldn't surprise me to see it refiled, but it's going to be difficult for them to get past those issues.

I tend to agree with Eric Goldman's summary of this whole thing:

I don't know whether I'm heartened by the way the judicial system has handled the onslaught of privacy lawsuits in 2012, or saddened by the fact that privacy plaintiffs lawyers don't seem to be getting the message. Maybe that horse has left the barn; perhaps for the rest of our careers, we're destined to see a never-ending flow of bottom-feeding lawsuits every time an Internet company sneezes. Oh joy.

Even though Judge Grewal properly flushes this P.O.S. down the toilet, it's not all hugs and kisses to Google, especially when he says:

He's right, and we should have an intelligent and cogent discussion about that. I sometimes wonder about Google's practices myself. Still, no matter how angry you are with Google's privacy practices, you should be even angrier about junk privacy lawsuits that aren't intended to, and won't, advance our interests as consumers.

Whether or not you think Google (or Instagram or anyone else) has gone too far with their terms of service or privacy policy changes, these lawsuits filed just because people don't like the policies are going nowhere.

Reader Comments

Wiretap Fail

Services providers such as Google and Facebook use a network of geodiverse servers throughout the world. Regularly, data that are given to one server are synchronized to another server in another datacenter, another city, and even another country.

If a putative plaintiff is not shown harm by his data shared between his posting in Skokie with it showing up on a server in Beijing, plaintiff would have a hard time showing that the same data, on the same server, being accessed by the same defendant (e.g google) is violating the wiretap laws by doing so from a different "service." If they refile this one these lawyers are the only ones making bank.